I'm fairly sure you can always download the patches directly from the php.net site, or from one of the mirrors for your version of FC..

-bruce

-----Original Message-----
From: fedora-legacy-list-bounces@xxxxxxxxxx [mailto:fedora-legacy-list-bounces@xxxxxxxxxx] On Behalf Of Michael Mansour
Sent: Tuesday, November 08, 2005 1:50 PM
To: fedora-legacy-list@xxxxxxxxxx
Subject: Fw: [SECURITY] Fedora Core 3 Update: php-4.3.11-2.8

Hi,

I'm still running FC1 and FC2 servers and am worried about the issues below. I don't want to be stung by them like I was with the perl exploits earlier (and fixed through the FL contrib by users).

Will FL be backporting these fixes asap?

Michael.

---------- Forwarded Message -----------
From: "Joseph Orton" <jorton@xxxxxxxxxx>
To: fedora-announce-list@xxxxxxxxxx
Sent: Tue, 8 Nov 2005 13:11:07 -0500
Subject: [SECURITY] Fedora Core 3 Update: php-4.3.11-2.8

---------------------------------------------------------------------
Fedora Update Notification
FEDORA-2005-1061
2005-11-08
---------------------------------------------------------------------

Product     : Fedora Core 3
Name        : php
Version     : 4.3.11
Release     : 2.8
Summary     : The PHP HTML-embedded scripting language. (PHP: Hypertext Preprocessor)
Description :
PHP is an HTML-embedded scripting language. PHP attempts to make it easy for developers to write dynamically generated webpages. PHP also offers built-in database integration for several commercial and non-commercial database management systems, so writing a database-enabled webpage with PHP is fairly simple. The most common use of PHP coding is probably as a replacement for CGI scripts. The mod_php module enables the Apache Web server to understand and process the embedded PHP language in Web pages.
---------------------------------------------------------------------
Update Information:

This update includes several security fixes:

- fixes to prevent malicious requests from overwriting the GLOBALS array (CVE-2005-3390)
- a fix to stop the parse_str() function from enabling the register_globals setting (CVE-2005-3389)
- fixes for Cross-Site Scripting flaws in the phpinfo() output (CVE-2005-3388)
- a fix for a denial of service (process crash) in EXIF image parsing (CVE-2005-3353)
---------------------------------------------------------------------
* Fri Nov 4 2005 Joe Orton <jorton@xxxxxxxxxx> 4.3.11-2.8
- add security fixes from upstream:
  * XSS issues in phpinfo() (CVE-2005-3388, #172212)
  * GLOBALS handling (CVE-2005-3390, #172207)
  * parse_str() enabling register_globals (CVE-2005-3389, #172209)
  * exif: infinite recursion on corrupt JPEG (CVE-2005-3353)
---------------------------------------------------------------------
This update can be downloaded from:
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/3/

This update can also be installed with the Update Agent; you can launch the Update Agent with the 'up2date' command.
---------------------------------------------------------------------

--
fedora-announce-list mailing list
fedora-announce-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-announce-list
------- End of Forwarded Message -------

--
fedora-legacy-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-legacy-list